Data law awareness scramble for Irish firms

It will come “down to the wire” as to whether Irish firms will be compliant with the new data-protection laws introduced by the EU next year, an expect in the area has said

a data protection expert has said.

Noel Doherty, a partner at Cork-based Fitzgerald’s Solicitors, said firms have to accept that “data-protection rules would fundamentally change” when the General Data Protection Regulation (GDPR) becomes law next May.

The regulation was ratified following four years of negotiation, replacing the existing directive on data protection. Unlike an EU directive, which can be implemented over a certain time, the regulation is made law once it begins in May 2018, meaning penalties can be imposed from day one.

The regulation is designed to harmonise data privacy laws across Europe and to protect citizens’ data privacy. It not only applies to organisations within the EU but also to firms that do business inside member states.

If companies fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.

It has been two years since notice of the fundamental change to privacy laws was given. The Government has had 18 months

to date since the publication of the GDPR, “and yet we are down to the wire”, said Mr Doherty.

“In May 2016 the GDPR was finally agreed at EU level, it became law but its application was postponed until May 2018,” he said.

“In May 2017, the data commissioner launched a significant information campaign to help businesses and organisations to prepare for the introduction of GDPR. The data protection commissioner stated that 12 months is not a long time and nobody can afford to delay.”

The Government has been working on drafting legislation that would complement the EU’s regulation on data protection, but it has been left very late in the day, said Mr Doherty.

In May 2017, it published the general scheme of its Data Protection Bill 2017, which is the form that legislation takes at a preliminary stage before it is drafted as a bill.

It is expected that the draft of the bill will be completed before the end of the year and that it will come before the Dáil and Seanad in the new year.

Mr Doherty said: “A bill of this size and importance would normally take a number of months to go through legislative scrutiny. It looks like we will be down to the wire and we will be very lucky if the legislation is finalised prior to May 25 next year.

“At best, businesses and organisations will have to wait until the GDPR rules become active on May 25 to know how the regulation will apply in Ireland.

“At worst, businesses may have to operate in a vacuum in the absence of legislation.

“Data subjects who will have significantly enhanced rights under the GDPR may not have a mechanism to pursue those rights. We have had 18 months to date since the publication of the GDPR and yet we are down to the wire.”

The GDPR is the most significant data-protection measure ever introduced and must not be underestimated, according to the vast majority of experts.

The chief executive of Cork-based Smarttech, Ronan Murphy, said recently that the law was a “monster” in its scope, adding that a massive push was needed to make as many organisations as possible aware before the May deadline.